Abstract. This paper shows that an eavesdropper can always recover precisely the private key of one of the two parties of the public key cryptography protocol introduced by Shpilrain and Ushakov in [7]. Thus an eavesdropper can always recover the shared secret key, making the protocol insecure.
1. Introduction

A seminal paper by Ko-Lee et al. [5] introduced the conjugacy search problem, as a generalization of the discrete logarithm problem, in the search for a new secure encryption scheme. The former problem states that, given a group $G$ and two elements $a, b \in G$ with the information that they are conjugate, we need to find at least one $x \in G$ with $x^{-1} a x = b$. This problem has proved to be computationally hard if the platform group $G$ is chosen to be the braid group $B_n$ on $n$ strands. It has been observed that, in some sense, Thompson's group $F$ and the braid groups $B_n$ have some similarities. Belk proved in his thesis that $F$ and the braid groups have a similar classifying space. Dehornoy defined in [4] a group of parenthesized braids which contains both $F$ and $B_n$ in a very natural way. Loosely speaking, the elements of $F$ appear as braids, but with merges and splits instead of twists. However, for cryptographic purposes, $F$ has still not proved to be a good platform. Kassabov and Matucci have proved in [6] that the simultaneous conjugacy problem is solvable, making it insecure to apply the Ko-Lee protocol based on the conjugacy problem. Shpilrain and Ushakov in [7] have proposed to use a particular version of the decomposition problem as a protocol and the group $F$ as a platform. This new problem is: given a group $G$, a subset $X \subseteq G$ and two elements $a, b \in G$ with the information that there exist $x_1, x_2 \in X$ such that $x_1 a x_2 = b$, find at least one pair $x_1', x_2' \in X$ satisfying $x_1' a x_2' = b$. A first attack on this protocol was announced by Ruinsky, Shamir and Tsaban in [8], showing that the parameters given in [7] should be increased to have higher security of the system. However, in this paper we show that such a protocol is insecure, because an enemy can always recover the secret key.

The paper is organized as follows. In Section 2 and Section 3 we recall the protocol and give a description of Thompson's group $F$. In Section 4 we show an attack that always recovers the secret key. In Section 5 and Section 6 we show another type of attack. In Section 7 and Section 8 we make some comments and we study the complexity of the attack of Section 4.
Acknowledgements. The author would like to thank Martin Kassabov 
for helpful discussions. 

2. The Protocol 

The protocol proposed in [7] is based on the decomposition problem: given a group $G$, a subset $X \subseteq G$ and $w_1, w_2 \in G$, find $a, b \in X$ with $a w_1 b = w_2$. Here is the protocol in detail:

Public Data. A group $G$, an element $w \in G$ and two subgroups $A, B$ of $G$ such that $ab = ba$ for all $a \in A$, $b \in B$.

Private Keys. Alice chooses $a_1 \in A$, $b_1 \in B$ and sends the element $u_1 = a_1 w b_1$ to Bob. Bob chooses $b_2 \in B$, $a_2 \in A$ and sends the element $u_2 = b_2 w a_2$ to Alice. Alice then computes the element $K_A = a_1 u_2 b_1 = a_1 b_2 w a_2 b_1$ and Bob computes the element $K_B = b_2 u_1 a_2 = b_2 a_1 w b_1 a_2$. Since $A$ and $B$ commute elementwise, $K = K_A = K_B$ becomes Alice and Bob's shared secret key.

Eavesdropper's Data. Eve has all the public data and the two elements $u_1$ and $u_2$, observed during Alice and Bob's exchange.

3. The Group $F$ and the Subgroups $A_s, B_s$

Thompson's group $F$ can be defined by the following presentation:

$F = \langle x_0, x_1, x_2, \ldots \mid x_n x_k = x_k x_{n+1},\ \forall k < n \rangle$

The standard introduction to $F$ is [2]. For $I = [0, 1]$ we define $PL_2(I)$ to be the group of piecewise linear orientation-preserving homeomorphisms of the interval $I$ with finitely many breakpoints such that:

• all slopes are integral powers of 2, and

• all breakpoints are in the ring of dyadic rational numbers;

the product of two elements is given by the composition of functions. With this operation, it is possible to prove that $F = PL_2([0, 1])$. We recall that the elements of $F$ can be uniquely written in the normal form

$x_{i_1} \cdots x_{i_u} x_{j_v}^{-1} \cdots x_{j_1}^{-1}$

such that $i_1 \le \ldots \le i_u$, $j_1 \le \ldots \le j_v$ and, if both $x_i$ and $x_i^{-1}$ occur, then either $x_{i+1}$ or $x_{i+1}^{-1}$ occurs, too. Since $x_k = x_0^{1-k} x_1 x_0^{k-1}$ for $k \ge 2$, the group $F$ is generated by the elements $x_0$ and $x_1$. The generators $x_k$ of the infinite presentation can be represented as piecewise-linear homeomorphisms by shrinking the function $x_0$ shown in Figure 1 onto the interval $[1 - \frac{1}{2^k}, 1]$ and extending it as the identity on $[0, 1 - \frac{1}{2^k}]$.
Figure 1. Two generators of the infinite generating set for $F$: the graphs of $x_0$ and of $x_k$, the latter being the identity on $[0, \varphi_{k-1}]$.

For every positive integer $k$ we call

$\varphi_k := 1 - \frac{1}{2^{k+1}}$

From the definition of $x_k$, we get

implying that, for $t \in [\varphi_k, 1]$, we have

which means $x_0 x_k^{-1}$ is the identity in the interval $[\varphi_k, 1]$. For any $s \in \mathbb{N}$, Shpilrain and Ushakov define in [7] the following sets

and

$S_{B_s} = \{x_{s+1}, \ldots, x_{2s}\}$

and then define the subgroups $A_s := \langle S_{A_s} \rangle$ and $B_s := \langle S_{B_s} \rangle$. The previous argument immediately yields that every element of $A_s$ commutes with every element of $B_s$ (see Figure 2), i.e.

Lemma 3.1 (Shpilrain-Ushakov [7]). For every fixed $s \in \mathbb{N}$, $ab = ba$ for all elements $a \in A_s$ and $b \in B_s$.
Figure 2. An example of an element of $A_s$ and one of $B_s$.

Notation 3.2. For every dyadic number $d \in [0, 1]$ we denote by $PL_2([0, d])$ the set of functions which are piecewise linear in $[0, d]$ and the identity on $[d, 1]$. Moreover, if we are given a piecewise linear map defined only on $[0, d]$, we will assume to extend it to $[0, 1]$ by defining it as the identity on $[d, 1]$. We use the same idea to denote $PL_2([d, 1])$.

Lemma 3.3 (Shpilrain-Ushakov [7]). (i) $A_s$ is the set of elements whose normal form is of the type

$x_{i_1} \cdots x_{i_m} x_{j_m}^{-1} \cdots x_{j_1}^{-1}$

where $i_k - k < s$ and $j_k - k < s$, for all $k = 1, \ldots, m$.

(ii) $B_s = PL_2([\varphi_s, 1])$.

Theorem 3.4 (Shpilrain-Ushakov [7]). In Thompson's group $F$, the normal form of an element given by a word $w$ can be computed in time $O(|w| \log |w|)$.



4. Recovering the Shared Secret Key

We will show now that Eve, by knowing the elements $w, u_1, u_2$, can always recover one of the two parties' private keys. She chooses whose key to crack depending on whether the graph of $w$ is above or below the point $(\varphi_s, \varphi_s)$.

4.1. Recovering Bob's Private Keys: $w(\varphi_s) < \varphi_s$. Since $w(t) < \varphi_s$ for all $t \in [0, \varphi_s]$, we observe the following identity

$u_2(t) = b_2 w a_2(t) = w a_2(t), \quad \forall t \in [0, \varphi_s].$

Therefore, Eve may apply $w^{-1}$ to the left of both sides of the previous equation to obtain

$w^{-1} u_2(t) = a_2(t), \quad \forall t \in [0, \varphi_s].$

Now Eve has the elements $a_2$, $w$ and $u_2 = b_2 w a_2$ and she computes

$b_2 = u_2 a_2^{-1} w^{-1},$

thereby detecting Bob's private keys and the shared secret key $K$.

4.2. Recovering Alice's Private Key: $w(\varphi_s) > \varphi_s$. Since $w^{-1}(t) < \varphi_s$ for all $t \in [0, \varphi_s]$, we have

By applying the same technique as in the previous subsection Eve can get $a_1^{-1}$ and therefore $a_1, b_1$ and the shared secret key $K$. Alternatively, Eve observes

$w^{-1} u_1(t) = w^{-1} a_1 w b_1(t) = b_1(t), \quad \forall t \in [\varphi_s, 1]$

and so

$b_1(t) = \begin{cases} t & t \in [0, \varphi_s] \\ w^{-1} u_1(t) & t \in [\varphi_s, 1]. \end{cases}$



5. Transitivity of $A_s$ and $B_s$

The previous section showed how to recover the shared secret key of one of the two involved parties, based on whether the graph of $w$ lies above or below the point $(\varphi_s, \varphi_s)$. However, it is possible to find the shared secret key even in the cases not studied in the previous section. More precisely, it is possible to attack Alice's word in the case $w(\varphi_s) < \varphi_s$ and Bob's word in the case $w(\varphi_s) > \varphi_s$. We need a better description of the subgroups $A_s$. If $s = 1$, we observe that $A_1 = \langle x_0 x_1^{-1} \rangle$ is a cyclic group. For larger values of $s$, $A_s$ becomes the full group of piecewise linear homeomorphisms on $[0, \varphi_s]$.

Lemma 5.1. $A_2 = PL_2([0, \frac{7}{8}])$.

Proof. Let $a, b$ be the two generators of $PL_2([0, \frac{1}{2}])$ shown in Figure 3. One sees that $a = x_0^2 x_1^{-1} x_0^{-1}$ and that $b = x_0^2 x_1 x_2^{-1} x_1^{-1} x_0^{-1}$, and so a conjugation of $PL_2([0, \frac{1}{2}])$ by $x_0^2$ yields $PL_2([0, \frac{7}{8}]) = \langle x_0^2 a x_0^{-2}, x_0^2 b x_0^{-2} \rangle$. By Lemma 3.3 we have

$x_0^2 a x_0^{-2} = x_0^4 x_1^{-1} x_0^{-3} \in A_2$

$x_0^2 b x_0^{-2} = x_0^4 x_1 x_2^{-1} x_1^{-1} x_0^{-3} \in A_2$

so that $PL_2([0, \frac{7}{8}]) \subseteq A_2$. The other inclusion is obvious. □



Theorem 5.2. $A_s = PL_2([0, \varphi_s])$, for every $s \ge 2$.
Figure 3. The two standard generators for $PL_2([0, \frac{1}{2}])$.

Proof. A straightforward computation shows that

$x_0 \, PL_2([0, \varphi_s]) \, x_0^{-1} = PL_2([0, \varphi_{s+1}]), \quad \forall s \ge 0.$

Therefore $A_2 = PL_2([0, \varphi_2])$ and the definition of $A_s$ imply

$PL_2([0, \varphi_s]) = x_0^{s-2} A_2 x_0^{2-s} \subseteq A_s \subseteq PL_2([0, \varphi_s])$

therefore implying that $A_s = PL_2([0, \varphi_s])$. □

Corollary 5.3. $A_s \cong B_s \cong F$, for every $s \ge 2$.

The previous Theorem and Lemma 2.5 in [6] yield the following corollaries:

Corollary 5.4. For any $t_1, t_2 \in \mathbb{Z}[\frac{1}{2}] \cap [0, \varphi_s]$ we can construct an $a \in A_s$ with $a(t_1) = t_2$.

Corollary 5.5. Let $t_0 \in \mathbb{Z}[\frac{1}{2}] \cap [0, \varphi_s]$ and $\bar{a}(t) = a|_{[0, t_0]}$ for an element $a \in A_s$. Assume we know $\bar{a}$, but that we do not know $a$. Then we can construct an $a_\sigma \in A_s$ such that $a_\sigma(t) = \bar{a}(t)$ for all $t \in [0, t_0]$.

Remark 5.6. The analogues of the last two corollaries are true for the interval $[\varphi_s, 1]$ and $B_s$ too.

6. Using Transitivity to Attack the Shared Secret Key

With the new description of $A_s$ and $B_s$ given in Section 5 it is now possible to attack the secret keys in the cases left open from Section 4.

6.1. Attacking Alice's word for the case $w(\varphi_s) < \varphi_s$. We have

$u_1(t) = a_1 w(t), \quad \forall t \in [0, \varphi_s],$

thus

$a_1(t) = u_1 w^{-1}(t), \quad \forall t \in [0, w(\varphi_s)]$

and so $a_1$ is uniquely determined in $[0, w(\varphi_s)]$. We apply Corollary 5.5 to find an element $a_\sigma \in A_s$ such that $a_\sigma = a_1$ on the interval $[0, w(\varphi_s)]$. If we define

then we have that

Therefore $b_\sigma \in B_s$ and $a_\sigma w b_\sigma = u_1$, and so Eve can recover the shared secret key $K$ by using the pair $(a_\sigma, b_\sigma)$.

Remark 6.1. We observe that any extension of $a_1|_{[0, w(\varphi_s)]}$ to an element of $PL_2([0, \varphi_s])$ will yield a suitable element to attack Alice's key. Moreover, any element $a_1' \in A_s$ such that $a_1' w b_1' = u_1$, for some suitable $b_1' \in B_s$, will be an extension of $a_1|_{[0, w(\varphi_s)]}$.

6.2. Attacking Bob's word for the case $w(\varphi_s) > \varphi_s$. Eve considers $u_2^{-1} = a_2^{-1} w^{-1} b_2^{-1}$ and recovers a pair $(a_\sigma^{-1}, b_\sigma^{-1})$ to get the shared secret key in the same fashion as in the previous subsection.

Remark 6.2. Both the techniques of this section have been carried out using the transitivity of $A_s$. They can also be solved by using the analogue of Corollary 5.5 for $B_s$ to get another pair $(a_\sigma, b_\sigma)$ which can be used to retrieve the secret key.
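The following Python program is an added illustration and is not code from the paper: it runs the protocol of Section 2 and Eve's attacks of Section 4 and Section 6.1 on piecewise-linear dyadic maps with exact rational arithmetic. It relies only on the descriptions $A_s = PL_2([0, \varphi_s])$ (Theorem 5.2) and $B_s = PL_2([\varphi_s, 1])$ (Lemma 3.3 (ii)); the value $\varphi = 7/8$ is the $\varphi_2$ of Lemma 5.1, random elements of $PL_2$ of an interval are produced by repeated halving, and the extension step of Corollary 5.5 is carried out by matching partitions into standard dyadic intervals (the usual tree-pair construction, my choice, not the paper's). Products act on the left, as in the paper, so `f * g` is $f \circ g$. The class and function names, and the random keys, are constructed for this example.

```python
from fractions import Fraction as Fr
import random


class PL:
    """Element of PL_2([0,1]): sorted breakpoints (x, f(x)) from (0,0) to (1,1),
    linear in between.  Products act on the left as in the paper: (f*g)(t) = f(g(t))."""

    def __init__(self, pts):
        self.pts = sorted({(Fr(x), Fr(y)) for x, y in pts})

    def __call__(self, t):
        for (x0, y0), (x1, y1) in zip(self.pts, self.pts[1:]):
            if x0 <= t <= x1:
                return y0 + (y1 - y0) * (t - x0) / (x1 - x0)
        raise ValueError("argument outside [0,1]")

    def inverse(self):
        return PL([(y, x) for x, y in self.pts])

    def __mul__(self, g):
        ginv = g.inverse()   # breakpoints of f∘g: those of g plus g-preimages of f's
        xs = {x for x, _ in g.pts} | {ginv(x) for x, _ in self.pts}
        return PL([(x, self(g(x))) for x in sorted(xs)])

    def __eq__(self, g):
        xs = {x for x, _ in self.pts} | {x for x, _ in g.pts}
        return all(self(x) == g(x) for x in xs)

    def is_identity_on(self, lo, hi):
        xs = [x for x, _ in self.pts if lo < x < hi] + [lo, hi]
        return all(self(x) == x for x in xs)


def random_pl2(lo, hi, n, rng):
    """Random element of PL_2([lo,hi]) with n pieces: domain and range partitions both
    come from halving [lo,hi], so every slope is a power of 2 (constructed key material)."""
    def subdivide():
        pieces = [(lo, hi)]
        while len(pieces) < n:
            i = rng.randrange(len(pieces))
            a, b = pieces.pop(i)
            pieces[i:i] = [(a, (a + b) / 2), ((a + b) / 2, b)]
        return [a for a, _ in pieces] + [hi]
    return PL([(0, 0)] + list(zip(subdivide(), subdivide())) + [(1, 1)])


def restrict(f, lo, hi):
    """The element of PL_2([lo,hi]) that agrees with f on [lo,hi] (f must fix lo and hi)."""
    assert f(lo) == lo and f(hi) == hi
    inner = [(x, f(x)) for x, _ in f.pts if lo < x < hi]
    return PL([(0, 0), (lo, lo)] + inner + [(hi, hi), (1, 1)])


def key_exchange(w, a1, b1, a2, b2):
    """Section 2: Alice sends u1 = a1 w b1, Bob sends u2 = b2 w a2; both compute K."""
    u1, u2 = a1 * w * b1, b2 * w * a2
    KA, KB = a1 * u2 * b1, b2 * u1 * a2
    assert KA == KB
    return u1, u2, KA


def eve_section4(w, u1, u2, p):
    """Section 4: Eve recovers one party's private pair from w, u1, u2 alone."""
    if w(p) <= p:                                # 4.1: w^-1 u2 = a2 on [0,p]
        a2 = restrict(w.inverse() * u2, Fr(0), p)
        b2 = u2 * a2.inverse() * w.inverse()
        assert b2.is_identity_on(Fr(0), p)       # b2 lies in B = PL_2([p,1])
        return b2 * u1 * a2
    b1 = restrict(w.inverse() * u1, p, Fr(1))    # 4.2: w^-1 u1 = b1 on [p,1]
    a1 = u1 * b1.inverse() * w.inverse()
    assert a1.is_identity_on(p, Fr(1))           # a1 lies in A = PL_2([0,p])
    return a1 * u2 * b1


def dyadic_map(c, p, d):
    """Corollary 5.4 construction: breakpoints of a PL_2 map sending [c,p] onto [d,p].
    Each interval is cut into standard dyadic intervals [k/2^n,(k+1)/2^n] (largest first);
    the shorter list is refined by halving its last piece; pieces are matched linearly."""
    def cut(lo, hi):
        xs, x = [lo], lo
        while x < hi:
            n = x.denominator.bit_length() - 1   # x is a multiple of 2^-n
            while x + Fr(1, 2 ** n) > hi:
                n += 1
            x += Fr(1, 2 ** n)
            xs.append(x)
        return xs
    xs, ys = cut(c, p), cut(d, p)
    while len(xs) < len(ys):
        xs.insert(-1, (xs[-2] + xs[-1]) / 2)
    while len(ys) < len(xs):
        ys.insert(-1, (ys[-2] + ys[-1]) / 2)
    return list(zip(xs, ys))


def eve_section6_alice(w, u1, u2, p):
    """Section 6.1 (w(p) < p): a1 is known only on [0, w(p)]; any extension to an
    element of PL_2([0,p]) gives a pair (a_sigma, b_sigma) that reproduces K."""
    c, d = w(p), u1(p)                           # a1 maps [0,c] onto [0,d]
    known = u1 * w.inverse()                     # equals a1 on [0,c]
    head = [(x, known(x)) for x, _ in known.pts if x < c]
    a_sigma = PL(head + dyadic_map(c, p, d) + [(1, 1)])
    b_sigma = w.inverse() * a_sigma.inverse() * u1
    assert b_sigma.is_identity_on(Fr(0), p)      # the matching b_sigma lies in B
    return a_sigma * u2 * b_sigma


def demo(seed=0, p=Fr(7, 8)):
    """Constructed run: random keys, honest exchange, then Eve's attacks (True = K found)."""
    rng = random.Random(seed)
    w = random_pl2(Fr(0), Fr(1), 6, rng)
    a1, a2 = random_pl2(Fr(0), p, 4, rng), random_pl2(Fr(0), p, 4, rng)
    b1, b2 = random_pl2(p, Fr(1), 4, rng), random_pl2(p, Fr(1), 4, rng)
    u1, u2, K = key_exchange(w, a1, b1, a2, b2)
    out = {"section4": eve_section4(w, u1, u2, p) == K}
    if w(p) < p:
        out["section6"] = eve_section6_alice(w, u1, u2, p) == K
    return out
```

Calling `demo(seed)` for any seed returns `True` for every attack it runs: the Section 4 attack needs no transitivity and recovers the actual private pair, while the Section 6 attack recovers a different pair $(a_\sigma, b_\sigma)$ that nevertheless yields the same $K$, exactly as Remark 6.1 states.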

7. Comments and Alternatives to the Protocol

7.1. Choice of the subgroups $A$ and $B$. It is known that the intersection of centralizers of elements $C = C_F(f_1) \cap \ldots \cap C_F(f_m)$ is determined by a dyadic partition of $[0, 1] = I_1 \cup \ldots \cup I_n$ such that $C|_{I_j} = \{f|_{I_j} : f \in C\}$ is either isomorphic to $PL_2(I_j)$, or to $\mathbb{Z}$, or to the trivial group (see the references for a proof). Going back to the protocol introduced in Section 2, we observe that, after we choose a finitely generated subgroup $A = \langle f_1, \ldots, f_m \rangle$, we are very restricted in our choice of the subgroup $B$. Loosely speaking, $B$ will have to be a subgroup centralizing $A$ and therefore, by the structure of the intersection of centralizers, we must make sure that $B|_{I_j}$ is the trivial group in the intervals where $A|_{I_j}$ is non-trivial, and it can be non-trivial only in the intervals where $A|_{I_j}$ is trivial. Moreover, even with a different choice of $A$ and $B$ the same type of attack as in Section 4 would find the shared secret key of this protocol, because Section 4 did not rely on the transitivity of $A$ and $B$ as the attacks of Section 6 did.

7.2. Alternative Protocol and Attacks. Ko-Lee et al. introduced a slightly different protocol based on the decomposition problem in their paper [5]. In their protocol, Alice picks $a_1, a_2 \in A$ and sends $u_1 = a_1 w a_2$ to Bob, while Bob chooses $b_1, b_2 \in B$ and sends $u_2 = b_1 w b_2$ to Alice. We can still attempt to solve this new protocol, by again dividing the problem into various cases. We assume to use the same subgroups $A_s$ and $B_s$, to work in the case $w(\varphi_s) < \varphi_s$ and to show how to attack the private keys of Bob. We apply the analogue for $B_s$ of Corollary 5.4 and find a $b_0$ such that $b_0^{-1}(w^{-1}(\varphi_s)) = u_2^{-1}(\varphi_s) = b_2^{-1} w^{-1}(\varphi_s)$. We define

$b_1' = b_1$

$b_2' = b_2 b_0^{-1}$

$u_2' = b_1' w b_2'$

so that $b_2'(w^{-1}(\varphi_s)) = w^{-1}(\varphi_s) > \varphi_s$. Thus we have

$u_2'(t) = b_1' w b_2'(t) = w b_2'(t), \quad \forall t \in [0, w^{-1}(\varphi_s)]$

and so

$b_2'(t) = w^{-1} u_2'(t), \quad \forall t \in [0, w^{-1}(\varphi_s)],$

and so $b_2'$ is uniquely determined in $[0, w^{-1}(\varphi_s)]$. We apply Corollary 5.5 for $B_s$ to find a $b_{\sigma 2} \in B_s$ such that $b_{\sigma 2} = b_2'$ on $[0, w^{-1}(\varphi_s)]$ and we define

$b_{\sigma 1} := u_2' b_{\sigma 2}^{-1} w^{-1}.$

Thus

$b_{\sigma 1}(t) = b_1' w b_2' b_{\sigma 2}^{-1} w^{-1}(t) = b_1'(t) = t, \quad \forall t \in [0, \varphi_s]$

and so $b_{\sigma 1} \in B_s$. Therefore the pair $(b_{\sigma 1}, b_{\sigma 2})$ satisfies $u_2' = b_{\sigma 1} w b_{\sigma 2}$ and so Eve can recover the shared secret key $K$. A similar argument can be done to attack the element $a_1 w a_2$, with the transitivity results for $A_s$.

7.3. A comment on the Alternative Protocol. The weakness in the protocol discussed in the previous subsection arises from the fact that the chosen subgroups $A_s$ and $B_s$ are transitive on the intervals in which they act nontrivially. This suggests that, in order to avoid the previous attacks, $A$ and $B$ should be chosen to be subgroups which are not transitive.

8. Complexity

Lemma 8.1. Let $a \in A_s$ and $b \in B_s$ such that their normal forms are

$a = x_{i_1} \cdots x_{i_m} x_{j_m}^{-1} \cdots x_{j_1}^{-1}$

$b = x_{c_1} \cdots x_{c_u} x_{d_v}^{-1} \cdots x_{d_1}^{-1}.$

Then the normal form of $ab$ is

$ab = x_{i_1} \cdots x_{i_m} \, x_{c_1 + m} \cdots x_{c_u + m} \, x_{d_v + m}^{-1} \cdots x_{d_1 + m}^{-1} \, x_{j_m}^{-1} \cdots x_{j_1}^{-1}.$

Proof. By induction on the indices and using the relations of $F$. □

It is now possible to give an algorithm to find the shared secret key. Section 4 implies that either $z_1 := w^{-1} u_1$ or $z_2 := w^{-1} u_2$ is in $A_s B_s$. We write the normal forms for $z_1$ and $z_2$. Lemma 8.1 tells us how to find the $A_s$-part $a_\sigma$ of $z_i$. We have to find the smallest index $r$ in the normal form of $z_i$ such that either $i_r$ or $j_r$ does not satisfy Lemma 3.3, and then $a_\sigma$ will be the product of the first $r$ elements of $z_i$ and the last $r$ ones. Computing the $B_s$-part of $z_i$ is now straightforward. Thus we get two candidates $K_1$ and $K_2$ for the shared secret key and one of the two must be it, so we check it on a message. The complexity of this procedure is given by taking two products and writing them in normal form, thereby extracting the $A_s$-part. Moreover, if the lengths of all the given words are less than $n$, the algorithm can be performed in time $O(n \log n)$ by Theorem 3.4. We observe that the attacks of Section 6 and Section 7 can be carried out in a similar fashion, still producing a solution in polynomial time.
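As an added example (my code, not the paper's), the following Python computes normal forms in $F$ directly from the relations $x_n x_k = x_k x_{n+1}$ ($k < n$), checks the product formula of Lemma 8.1 on a constructed pair $a \in A_2$, $b \in B_2$, and splits a product in $A_s B_s$ into its $A_s$-part and $B_s$-part by testing the leading positive and trailing negative letters against Lemma 3.3 (i), which is the extraction step described above. Words are lists of `(index, exponent)` pairs with exponent $\pm 1$; that representation and the function names are my own.

```python
def _sort_positive(P):
    """Normal form of a positive word: x_n x_k = x_k x_{n+1} (k < n) moves the smaller
    index left and bumps the larger one, so the result is nondecreasing."""
    Q = []
    for k in P:
        pos = len(Q)
        while pos > 0 and Q[pos - 1] > k:
            Q[pos - 1] += 1
            pos -= 1
        Q.insert(pos, k)
    return Q


def normal_form(word):
    """Normal form x_{i_1}..x_{i_u} x_{j_v}^-1..x_{j_1}^-1 of a word given as a list of
    (index, +1/-1); the result uses the same representation."""
    P, N = [], []        # current element = x_P[0]...x_P[-1] x_N[0]^-1...x_N[-1]^-1
    for k, e in word:
        if e == -1:
            N.append(k)
            continue
        i = len(N) - 1   # push x_k leftwards through the negative letters
        while i >= 0:
            n = N[i]
            if k == n:               # x_n^-1 x_n cancels
                del N[i]
                break
            if k < n:                # x_n^-1 x_k = x_k x_{n+1}^-1
                N[i] = n + 1
            else:                    # x_n^-1 x_k = x_{k+1} x_n^-1
                k += 1
            i -= 1
        else:
            P.append(k)
    P = _sort_positive(P)
    N = _sort_positive(N[::-1])[::-1]   # negative part: invert, sort, invert back
    while True:   # reduce: x_i and x_i^-1 both occur but neither x_{i+1} nor x_{i+1}^-1
        bad = [i for i in set(P) & set(N) if i + 1 not in P and i + 1 not in N]
        if not bad:
            break
        i = min(bad)   # moving x_i next to x_i^-1 lowers every index above i+1 by one
        P.remove(i)
        N.remove(i)
        P = [m - 1 if m > i + 1 else m for m in P]
        N = [m - 1 if m > i + 1 else m for m in N]
    return [(k, 1) for k in P] + [(k, -1) for k in N]


def lemma81(a, b):
    """Lemma 8.1: normal form of ab predicted from the normal forms of a and b."""
    Pa = [k for k, e in a if e == 1]
    Na = [k for k, e in a if e == -1]
    Pb = [k for k, e in b if e == 1]
    Nb = [k for k, e in b if e == -1]
    m = len(Pa)
    return ([(k, 1) for k in Pa] + [(k + m, 1) for k in Pb]
            + [(k + m, -1) for k in Nb] + [(k, -1) for k in Na])


def split_AB(z, s):
    """Section 8: the A_s-part of z in A_s B_s consists of the leading positive and
    trailing negative letters that satisfy Lemma 3.3 (i); the rest, with indices
    lowered by the length of the positive part of a (Lemma 8.1), is the B_s-part."""
    P = [k for k, e in z if e == 1]
    N = [k for k, e in z if e == -1]
    r = 0
    while r < min(len(P), len(N)) and P[r] - (r + 1) < s and N[-1 - r] - (r + 1) < s:
        r += 1
    a = [(k, 1) for k in P[:r]] + [(k, -1) for k in N[len(N) - r:]]
    b = [(k - r, 1) for k in P[r:]] + [(k - r, -1) for k in N[:len(N) - r]]
    return a, b


def demo():
    """Constructed sample with s = 2: a = (x0 x1^-1)(x0 x2^-1) in A_2, b = x3 x4^-1 x3 in B_2."""
    a = normal_form([(0, 1), (1, -1), (0, 1), (2, -1)])
    b = normal_form([(3, 1), (4, -1), (3, 1)])
    z = normal_form(a + b)
    return a, b, z, split_AB(z, 2)
```

`demo()` returns $a = x_0^2 x_2^{-2}$, $b = x_3^2 x_5^{-1}$, their product $z = x_0^2 x_5^2 x_7^{-1} x_2^{-2}$ in normal form, and the split of $z$ back into $(a, b)$, so the product computed from the relations agrees with `lemma81(a, b)`.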

9. Concluding Remarks

The previous attacks show that, no matter what parameter $s$ is chosen and how long the words $w, a_1, a_2, b_1, b_2$ are, the attacks always succeed since they detect precisely the shared secret key. Moreover, the complexity of this procedure relies only on the time that the machine needs to write the normal forms of the given products.